Expert Comment

What Should Companies’ Top Cybersecurity Concern in 2018 Be?

49 Experts Have Their Say

Industry experts give their thoughts on the cybersecurity priorities for businesses in the year ahead

Deploying “Defence in Depth” Tactics

The big four cybersecurity concerns for businesses in 2018 continue to be end user education, privileged access management, multi-factor authentication and identity governance, or ensuring only the right people have the right access to the right things at the right time. If organisations have not deployed these tactics, which provide “defence in depth”, then they are doing a disservice to the cybersecurity of the business, its customers and partners.

Open Source Code and Further Ransomware/DDoS Attacks

One of the biggest cyber security concerns is the provenance of open source code, as it provides hackers with the opportunity to easily put backdoors into many locations. Hackers just need to pose as genuine coders, providing decent code to, for example, help Apache alleviate the backlog to get the correct access keys. It would not surprise me if in 2018 we see a major data breach conducted in this way.

Another real concern is ransomware and the distributed denial of service attacks. Last year we saw a number of high profile businesses attacked, including WPP and even the NHS. The nature of the virus, a self-replicating worm, meant that the attack spread rapidly and randomly. This attack alone cost WPP over £17m in lost trading hours and developing new cyber security software.

Businesses should always be updating their cyber security protocols; however, it is not just hackers that may affect cyber security policies. With any cyber security breach, it is not just about the financial costs involved (which can be billions of pounds) but also the reputational costs. Rebuilding consumer trust for businesses and insisting that the right precautions are taken over consumers’ privacy and data can take years, and it may never be regained. So, when it comes to cyber security it goes far beyond bottom line and PNL.

The Continuing Costs of Cybercrime

Cybercrime costs will continue to damage companies as criminals get more sophisticated in 2018 and companies shortcut protection and data recovery tools.

Data breaches can be catastrophic for organisations which hold sensitive data, and these types of organisations will continue to be high priority targets for criminals. Delays brought about by these attacks affect ongoing business relationships and, in a surprising number of cases, lead to a cessation of business between customers and suppliers. Well known attacks like those in the health service last year are the tip of an iceberg, with many companies refusing to go public rather than risk the backlash of losing individuals’ and customers’ data.

Business continuity planning is crucial to minimising the impact of any attack; however, many companies fail to understand this. Recovering data after an attack is a step forward; however, if it takes too long to get the infrastructure up and running again, the damage is done. It’s crucial to design a business continuity plan that has a tried and trusted recovery point both in time and data. These plans should be regularly reviewed at board level to avoid the plan’s implementation being hampered by lack of budget or knowledge or both.

Companies will also need to foster a culture of security if they are to minimise the risk of being a victim of any attack. CIOs and CISOs need to ensure that every employee within the organisation is aware of the threats they could face, whether it’s a phishing email, sharing passwords or using an insecure network. The cyber security landscape is continuously changing with hackers finding new ways to access information. Hence one-off training sessions will not suffice: creating a culture of consistent awareness of threats is required along with a robust security and continuity plan throughout the business.

Retailers’ Revenue Loss

According to the Cisco 2017 Annual Cybersecurity Report, nearly one in three retailers have suffered revenue losses as a result of a cyberattack. This is because of the sheer volume of customer data retailers possess. With the increase in online shopping, digital marketing and loyalty schemes, this amount of data, and therefore the risk, is only going to increase.

To deal with this growing threat, retailers should take a back-to-basics approach. This should incorporate a full security incident event management policy, developed to cover three main areas.

The first is protection. This is using the best digital and physical assets that are deployed, maintained, and updated with security-by-design in mind. The second is detection: using both software and corporate tools to streamline the inter-departmental processes and work efforts needed to spot any gaps in defences and see exploits as soon as they occur. The third is correction. This is about measuring the time to mitigate any vulnerabilities detected, which can often be aided by a software-based security automation tool but is largely the efforts of trained specialists either by the retailer’s personnel or their contracted third parties via oversight and direction.

By incorporating these three key principles, a retailer can both simplify and tighten cybersecurity. By developing a risk management approach to all aspects of security, product consolidation is enabled as well as the possibility of outsourcing in areas such as infrastructure hosting with a vendor who can best provide in breed integrations with security solutions. The combination of these three solutions results in reduced complexity, ease of management, and ensures leading edge cybersecurity protection, threat detection, and risk correction.

Seeking Cyber Insurance in Preparation for GDPR

After last year’s high profile cyber-attacks and the prospect of more, 2018 will be the year companies really start to seek cyber insurance policies to help them mitigate the costs of breaches, particularly as GDPR fines start to become a sizeable and painful reality. It is becoming clear that avoiding a cybersecurity breach is temporary and that companies of all sizes now need to consider purchasing cyber insurance as this will cover the potentially large cost of dealing with the damage that has happened, including the consequences of data theft and downtime. This is particularly important for small and mid-sized businesses, many of which have traditionally taken cyber security as a low priority, as Cyberwrite’s data shows that they continue to have a high risk of suffering a ransomware attack during 2018.

Breaches, Cloud Consumption and Patching Problems

If you have responsibility for security within any size of organisation, you’re probably used to a generalised sense of anxiety and unease with each new security report that comes out. It seems like every year, we have more to worry about, so what should concern you in 2018?

Data breaches: the implementation of GDPR in the EU means that companies will be compelled to notify national data protection regulators within 72 hours of a breach being detected. This is definitely going to increase the costs of compliance in the EU, but will also lead to a slew of data breach notifications across the board, and the principles of the regulation look likely to be adopted [beyond] the EU. Make sure your incident management, response procedures and playbooks are up-to-date and take account of the new regulations. Make sure you know where your critical data is and who is accessing it – be aware of the threat of malicious insiders.

Increasing consumption of cloud services: On-premise deployments of core services such as Active Directory and Exchange are becoming less and less common. Whilst this has security benefits in terms of staying up-to-date with patching and improved end user experience, you need to ensure that there are robust authentication and logging solutions in place to protect your cloud assets. As more of your infrastructure moves to the cloud, you will need to ensure that systems, applications and data are appropriately segmented.

Patching will still be a problem: speaking of infrastructure, we should expect to see serious breaches that could have been defeated or mitigated if critical patches were deployed. Infrastructure vulnerabilities are an easy way for intruders to move laterally through the environment, so make sure that you have applied strict policy controls to limit the impact of a successful intrusion.

Protecting Against Long-Term Data Manipulation

Whilst organisations have traditionally focussed on stopping hackers breaching their networks and stealing their data, there is a growing trend that can go undetected for years, creating havoc and potentially destroying a business: data manipulation. With much of today’s business decision making based on analysis of the data it holds, hackers are starting to play the long game, looking to “monetise” their hacks by attacking the integrity of the business data and betting on their downfall by backing their competitors on the stock exchange.

Some are even using it to get themselves ahead in life, such as the student that changed his grades in the US and then applied for colleges. Without adequate security measures, such as encryption and key management, placed on the data at source and in transit, businesses and institutions may find themselves at the mercy of hackers without even realising the effects for a long time.

Recognising Increasingly Sophisticated Spear-Phishing Campaigns

Organisations are regularly reminding users to be aware of spear-phishing attacks. However, knowing how to recognise them is becoming increasingly difficult as they become ever more sophisticated – fooling even the most seasoned security professionals. This type of attack needs to be a top concern for organisations, as criminals are achieving increasingly high success rates. It’s this success that is further breeding even cleverer and more elaborate threats.

A form of social engineering, spear-phishing usually takes the form of an email that persuades users to click a link or open a folder in an email attachment. Cybercriminals personalise emails that impersonate trusted sources, making them appear to be internal messages. These messages are a popular way of delivering ransomware into an enterprise’s network, causing major havoc for organisations, their customers and even national infrastructure.

Worryingly, it’s likely we’ll see a continuation of these attacks as phishing campaigns become trickier to detect. Making sure employees are vigilant and educated on what to look out for is important but it is only part of the solution.

Attackers take advantage of our natural inclination of trust, exploiting people’s weaknesses when they least expect it. We’re all human; all it takes is for one employee to become a victim and a whole database can be compromised. Instead, companies should look to implement more robust security measures to ensure trusted internal communications.

If internal communications were digitally signed, this would effectively stop spear-phishers being able to impersonate a company employee. All employees can then verify that an email from a CEO or CFO really is from a trusted, not malicious source. Many organisations are already adopting stronger methods of security and are looking to extend secure messaging down their supply chains; however, there is still work to be done to eliminate this type of attack.

Software-Based Threats

The top priority, issue and security concern on every company’s list should be software. Software is eating the world, and as programmes advance, bugs are now beginning to eat away at software.

As software becomes increasingly ubiquitous - I fully expect it to be integrated into our bodies within the next five years - the concept of glitches or failures becomes more and more alarming. That’s why we’re on a mission to drive ‘clean code’ and ensure that developers have the tools they need to combat the biggest threats to software today.

While the number of software crises is decreasing, their impact is increasing. We need to take this seriously now, or risk losing everything. Crises like Meltdown and Spectre, or the British Airways crash a few years ago, are the perfect illustration of how software crises can escalate.

I can’t overemphasise how useful automation can be in helping developers protect against software-based threats - AI can be an incredible tool in identifying weak points within a programme’s code, allowing developers to go in and tend to problems as they crop up, and before they escalate.

Ensuring Proper Cyber Risk Training Against Attacks

Three types of attacks are on the rise this year and can have devastating impact on businesses. First is ransomware, which is one of the most common cybercrimes. It involves injecting malicious software designed to block access to a computer system once activated until a ransom is paid. Such attacks are initiated through phishing and spear-phishing emails. DDoS-related IoT attacks are also on the rise as the number of connected devices increases.

These involve taking over devices such as security cameras or vending machines to be used as bots. The third attack is a new form of malware called cryptojacking, which involves cybercriminals exploiting the processing capacity of infected computers for crypto mining. Technical challenges and inability to deploy high priced, sophisticated, cyber defences are the two main reasons why businesses remain exposed.

To avoid such situations, businesses need a cost-effective approach to ensure proper cyber risk training for all employees at all levels. 52% of data security breaches are caused by human error, whereas system failure accounts for the rest. But they also must have proper security solutions to defend against threats. Such solutions are best deployed via the network on a security-as-a-service basis.

Communications Service Providers (CSPs) are an integral part of this equation. As "the internet bloodline", CSPs must ensure they offer "clean pipes" and they can provide network-based security which is powerful and comprehensive, as well as cost-effective and requires minimal to no intervention and maintenance by the organisation. Since CSPs are also major operators of the Internet of Things (IoT), providing security as a service from the network becomes important – especially when IoT manufacturers tend to prioritize cost, time to market, and mobility over security considerations. Because CSPs will be at the forefront of such attacks, they will have to step up.

End User Weak Links

What we once thought was safe is now vulnerable. The reality remains: it is not ‘if’ but ‘when’ an organisation will be breached. The problem continues to rise up more and more as hackers find new entry points into the enterprise and are now leveraging new technologies to their advantage, carrying out highly intelligent cybercrime campaigns today.

As IT security teams implement new and improved ways to keep cyber-criminals out, human and artificial ‘bad bot’ hackers continue to keep their focus on their preferred method of entry: users. People are far easier to crack than a 512-bit hash. End users across the enterprise are constantly being targeted because they are the “weak link” in the chain. Understanding who has access to what and, importantly, what they are doing with that access, continues to be the best way to protect the new ‘human perimeter’ from a breach. It is vital that enterprises improve and evolve their identity governance programmes – this should be the number one concern and priority for companies looking to improve their cybersecurity posture this year.

Consider this: While it may be incredibly easy for a hacker to use social engineering to trick someone into clicking on a link or giving up their login credentials, it is just as easy, if not easier, for a hacker to use artificial intelligence to their advantage. A recent study found that when deploying a phishing scheme against humans, it was not the human hacker who had the higher click-through rate but actually the artificial hacker who succeeded more often in converting those malicious click-throughs into successful phishing attacks. This is just one example of how hackers are tackling new innovations and technologies and using them to their advantage. Enterprise IT teams must remain vigilant given this new reality to effectively protect their organisations from becoming the next big data breach.

Overlooking ‘Technology Sprawl’

The concept of ‘technology sprawl’ is often overlooked. Companies too often find themselves fighting the ever-evolving risk of malware and throw all their money and efforts into buying an endless array of tools to mitigate the threats rather than taking a considered and strategic approach. This is counter-productive for so many reasons, including making infrastructures more complex and difficult to manage, accelerating staff burnout and creating vulnerabilities that cybercriminals are increasingly adept at taking advantage of. Companies today don’t need more tools, they need “right” – the right strategy, the right infrastructure, and the right policies and processes.

By eliminating waste in their cybersecurity portfolio and removing redundant or unnecessary products, companies can start to focus on the solutions that have proven business value while simultaneously reducing the number of security vendors they have to manage. On top of this, the time savings for the IT team will free up resources to create strategies and implement tools that allow the business to be proactive in their fight against the cybercriminal – preventing cyberattacks before they happen, rather than deploying a fix after the event.

Making Networks Undesirable to Hackers

How can businesses make themselves less valuable to cybercriminals? It’s cracking this question that should be a top concern for businesses in 2018. If a data breach is almost inevitable in today’s threat landscape, it’s essential that businesses look at ways of making their networks undesirable for hackers out to make a quick buck. There are some basic tips to help towards achieving this:

IT teams should identify their protect surface and map the data flow of sensitive data. In addition, they should have total visibility of the hardware and software deployed on their system and how it should communicate so it can be detected if two devices shouldn’t be talking to one another. In addition, enabling application whitelisting, encrypting data in transit and at rest, and enforcing network segmentation makes it increasingly hard for an adversary to gain, maintain, and further develop access and move freely on your network. In essence, this can be summarised in two points: first, adopt a zero-trust security model and, secondly, microsegment or suffer.

This approach will make the life of attackers complicated, making them look elsewhere for a more comfortable target. By taking a microsegmentation and zero-trust approach to cybersecurity, businesses can ensure that they are able to survive, adapt, and endure the evolving motives of cybercriminals.

Phishing/Smishing Exploits Human Nature

A leading concern for organisations is quite simply phishing. It’s no secret that cybercriminals are heavily commercialising their opportunities, actively targeting people and not systems. The reason for this is that they see people as the weak link in the network because we are curious by nature, often busy, and most tend not to think bad things of other people, resulting in an over-trusting mindset when it comes to cyber security.

Hackers are great at exploiting this human nature, using social engineering tactics to gain their victims’ trust and encouraging them to click on malicious links designed to harvest their credentials. People are trusting and if they believe an email comes from a trusted source, they won’t hesitate to open and click on an email. For example, CEO fraud exploits human nature with a vengeance; although most users now know not to click on links in emails from addresses that they don't recognise, many are still willing to take the identity of a sender at face value.

Text message-based phishing attacks (smishing) work in a similar fashion to email-based phishing; the attacker will pose as a bank or financial service provider and attempt to send fake two-factor authentication messages or convince the consumer that there’s been “unauthorised access to your account” and urge them to “respond immediately” via the link provided.

To overcome this, organisations must make security awareness a priority. With security awareness training, employees learn how to follow best practice, as well as being empowered to report anything suspicious.

As a result, employees can become a highly effective network of human sensors who will protect themselves both in and out of the workplace, and increase the likelihood of stopping incidents from occurring in the first place. It is important to make reporting effortless for staff by having a button available in each email that they simply click and the security team are notified immediately.

Targeted and Adaptive AI Attacks

The types of cyber threats that a business is subject to are, to some degree, dependent on the size and nature of the business. Whilst we all suffer ongoing threats such as phishing and variations of ransomware, larger corporations will be more likely to suffer denial of service and corporate espionage type attacks than a high street business.

Law firms and other professional services on the other hand, regardless of size, are subject to a broader range of cyber threats due to the nature of the transactions that we deal with.

One growing technology in the legal space is artificial intelligence. Unfortunately, the flip side of this is its emerging use in cybercrime. This year we are, as reported by the likes of the MIT, likely to see much more in the way of targeted and adaptive attacks driven by AI technology, as well as measures to counter such attacks.

What we can’t lose sight of are the threats that may appear to have diminished only to re-emerge on the back of complacency. It is an ever-changing landscape and good training and vigilance can never be understated.

Developing Trusted Access Strategies

The way organisations work is changing and, as a result, cyber security also needs to evolve; in fact, statistics from Duo Security found that nearly 43% of user logins to work applications now come from outside of the corporate office and network. This means that security today is less about fortifying the perimeter of the network and more about ensuring that only trusted users and devices access a company’s data; a strategy based on a perimeter-less ‘zero trust’ approach.

Most enterprises enable their remote workforce to access work applications through Virtual Private Networks (VPNs). Once they are inside the corporate network through the VPN they are deemed as “trusted.” Many severe data breaches involve attackers taking advantage of this VPN-dependent approach to access. Attackers gain access to the corporate network by either stealing login information through tactics such as phishing or by compromising the end user’s device through malware. Once an attacker logs into a VPN, they are able to move laterally inside the network and eventually gain access to critical data. The approach of trusting a user or a device just because they are connecting from within the corporate network is fast becoming outdated.

A central tenet of this new perimeter-less approach is the concept of trusted access, which establishes that only trusted users and devices can access sensitive and restricted files and applications irrespective of where the access request is coming from. Identity verification measures such as two-factor authentication should be used as standard to ensure a user is genuine and not an imposter with stolen credentials. Likewise, the device itself must be proven healthy and not unsafe. For example, a PC with an unpatched, out-of-date operating system should be blocked from accessing mission critical work applications.

Getting Serious and Proactive with Defence Strategies

In early 2018, we predicted that DDoS attacks will likely get stronger and more targeted in the coming year. Unfortunately that prediction was spot on, exemplified by the emergence of Memcached. The amplified DDoS attack – generating multi-terabit attack volumes – has the potential to generate traffic responses 10,000 – 51,000 times greater than the size of request and has continued to cause chaos and spread at a rapid pace. So much so that, according to recent research by the Neustar International Security Council (NISC), 92% of organisations agree that these attacks are likely to become the ‘norm’.

So looking forward for the rest of the year and beyond, what are organisations supposed to do in order to protect themselves from Memcached and similar attacks? More than ever before, it is of the greatest importance that organisations make it a priority to strengthen their cyber-defences – fast. This should start with having a clear understanding of what is considered to be normal for their environment – giving them the proper context to isolate and investigate events that aren’t considered normal. But before this can even happen, organisations must put the appropriate controls in place for threat vulnerability management, patch management and ensuring important data is identified and encrypted. This way, they can utilise security solutions in the most efficient and effective way.

Overall, organisations everywhere must get serious and be proactive with their defence strategies – rather than just sitting idly until the next attack has already happened, it’s time to re-evaluate processes in the midst of the chaos.

Countering the Challenge of the Insider Threat

Organisations spend a lot of money every year on perimeter security, protecting themselves from the outside when the internal threat is as relevant and prevalent as it was in the IT Security Industry over 25 years ago. Yet until recently, managing this has not been seen as ‘critical’ at Board level and so those whose job it is to protect the company have not been given the budget to tackle it.

70% of all data breaches are internal. Why? Because people have access to data that they really should not. Legacy permissions and poor group structures managed through Active Directory are usually responsible for this and it means that IT departments simply cannot manage the problem with native Windows tools. Bad guys trying to get into networks from the outside will also take full advantage of this. However, whilst GDPR has helped to bring the challenge of the insider threat to the forefront and we are starting to see organisations recognising, and more importantly, acting on this, we do expect this to be an ongoing challenge over the coming year.

Covering the Basics

Organisations now need to think about cyber security risks outside of the threats they face on a daily basis.

It sounds cliché, but the biggest cyber security concern for organisations in 2018 is to make sure the basics are covered. Many of the recent breaches that received a lot of coverage, such as The City of Atlanta, CeX, and Equifax, resulted from the fact that systems weren't properly patched or secured.

Attackers didn't have to use 0-day or complex exploits to gain access; they were able to take advantage of well-known vulnerabilities. An organization that takes the time to thoroughly understand what is on their network and what systems are exposed to the public Internet, then works to patch and restrict access to those systems, will be protected against 90%+ of attacks.

As for other attacks that are on the rise, ransomware continues to be a problem for particular industries. Healthcare and local governments continue to be targeted by advanced ransomware actors, who focus on targets that have limited security resources and can often be shamed into paying. The one new attack that we are seeing this year is cryptocurrency miners. Attackers will either install a JavaScript file or a loader that will use the victim's computer resources to mine cryptocurrency for the attacker. It is too soon to know whether these attacks will be successful enough to become widespread, but there are dozens of cryptocurrency mining campaigns going on at this time.

Finally, in the near term failure to comply with regulations should be their number one priority. So, don't forget the importance of GDPR and the requirements that it places on an organization's cybersecurity posture. Making sure your organization is GDPR-compliant will eat up quite a few resources from your security staff.

Putting Organisations’ Data Houses in Order

The GDPR fits nicely into the broader topic of cybersecurity because it covers the protection of data and raises the stakes by making companies accountable to their customers and to governing bodies. If you’re minimising the data you keep regarding your customers per the GDPR, for example, you’ll have less information an attacker can steal.

Unfortunately, data growth continues to skyrocket, far outpacing the ability to control, manage and protect data assets within many organisations. With the GDPR in full force, companies must be able to act with almost surgical precision to respond to “right to be forgotten” requests for individuals and be confident they’ve removed all relevant data and for the data that still exists, ensure that only the right people have access to it. The GDPR is making organisations put their data house in order. With the GDPR deadline nearing, many companies have taken a hard look at their data – what they have, where it’s located, if they even need to keep it in the first place and if they do, ensure least privilege access to it.

GDPR Compliance

GDPR has been a topic of conversation for a long time, but it remains the case that all companies handling EU citizens’ data should consider it their leading cybersecurity concern for this year. GDPR outlines data security best practices and promotes ‘security by design’ in data processing systems, alongside the ability to audit for compliance. Financial sanctions will be levied against any business systematically failing to comply with GDPR as well as for data breaches.

An organisation’s first step towards compliance is to understand the data it collects, validating the reasons for collection and documenting its lifecycle through the company - including where it’s stored and who has access to it. Once mapped, areas where information is at risk can be identified and addressed. For example, personally identifiable data, which must be protected under GDPR, may be found to be unencrypted when at rest or taken outside of the company. Each area of exposure will lead to a specific cybersecurity solution that is required to move towards full compliance.

GDPR is non-prescriptive in terms of technology. However, Article 32 details the requirement for the ‘encryption of personal data’ and Article 34 notes that if leaked or breached data is encrypted then the requirement to contact each data subject affected is no longer mandated. This means that the organisation will avoid the resultant administrative costs.

Encryption should therefore be applied to all personal data within corporate systems and, even more so, to information stored and saved on media taken outside the business. The cost of standardising on encrypted USB drives, for example, is nominal in comparison to the financial consequences of a data breach – up to the higher of 20 million Euros or 4 percent of the company’s global annual turnover – and their deployment offers a simple step towards GDPR compliance.

Moving to Windows as a Service

For me, the top cybersecurity concern for businesses and IT departments in 2018 should be the move to ‘Windows as a Service’ (WaaS). In January 2020, Microsoft will discontinue updates and support for Windows 7, leaving many businesses with only the option to upgrade to Windows 10 or fall behind on their updates. As we’ve seen recently however, when left to their own devices, few businesses manage to keep on top of their updates and to migrate to a new operating system on time.

In fact, recent research conducted by Kollective found that 46% of businesses have no plan in place to manage WaaS updates. This is a worrying statistic considering that WannaCry and so many of the high profile cyberattacks that happened in 2017 were all caused by outdated software. Yes, the process of migrating a global organisation to a new OS can be tedious and difficult for both IT departments and employees, however the failure to keep up with the latest updates leaves businesses open to a whole host of potential cyberattacks. Very few businesses seem to even be aware of this fact, let alone preparing to address it.

There is a solution to this problem and that can be found in SD ECDNs (software-defined enterprise content delivery networks). Essentially these virtual networks allow businesses to share large files at high speeds, regardless of whether they are still relying on legacy network infrastructures. By distributing an update to multiple machines and then allowing those machines to share the updates amongst themselves, SD ECDNs decrease the bandwidth load on an organisation’s network, helping companies with thousands – or even hundreds of thousands – of terminals stay on top of vital patches and Windows updates.

Securing Internet of Things Devices

From mobile phones and webcams to electronic locks and printers, businesses are investing in more IoT (Internet of Things) devices than ever – and securing these must be a major priority. Connecting additional devices to a network increases the number of entry points, creating more angles for a potential attack.

This is a concern for businesses, who need to utilise the benefits of these devices without compromising on threat protection across their network.

Manufacturers aim to develop IoT products that connect to the internet in a quick and user-friendly way, but this often leaves security as more of an afterthought. With no international standard for securing devices, it’s down to businesses to install tools which have the ability to prevent security issues.

By implementing a multi-layered security strategy, at both the endpoint and network level, SMBs can keep track of potential issues before their security is compromised. Every cyberattack demonstrates behaviour, and detecting this is important. Identifying patterns and anomalies helps to build a bigger picture of a malicious attacker which can prevent future hacks.

SMBs must not forget the importance of their own workforce in combatting a threat. Although watertight security is a necessity in the IoT age, the right training will empower employees to identify security issues and alert the right people, helping to shut down a potential attack before the damage is done.

Credential Abuse Attacks

We expect Credential Abuse (CA) to be a huge blot on the threat landscape in 2018. Recent leaks and data breaches have given malicious actors the opportunity to take known user logins stolen from one site, and use them to take over accounts on as many other sites as possible. Harnessing bots to scatter gun stolen credentials across thousands of sites in just seconds, hackers hope that their pot luck approach will turn up gold when details from one site unlock valuable access to another.

Forrester ranks CA number two in its list of the highest threats an organisation can face and the Ponemon Institute estimates the cost of CA can be in the tens of millions per year.

CA ‘attacks’ are hit-and-run by nature and, without assistance from AI, can be very hard to detect, since the login attempt is almost identical to a legitimate user trying to access their account. However, biometrics and AI are excellent ways to separate bots from humans.

Content Delivery Networks (CDNs) can monitor global web traffic to identify bad bots through sophisticated methods such as AI and biometrics, to mitigate their impact by providing a buffer between their customer accounts and malicious actors. For example, AI in the CDN can learn the difference between a real person’s pattern for hitting the keys to type their password and a machine attempting the same login – and then block false attempts from that device across all the sites that the CDN is protecting.

Adopting a Zero Trust Mindset

The biggest threat facing organisations is the changing tactics of cyber criminals. Organisations will continue to face ransomware, malware and DDoS threats and cyber criminals will attempt to recreate successful exploits, but threat actors will modify their tactics to hide their activities through new techniques.

The ongoing digitisation of everything will remain one of the biggest drivers for more effective business cybersecurity. Industry collaboration and government legislation will play greater roles in protecting the global digital world. The security research community will make a greater effort to collaborate to detect and prevent the types of global cyber events we have seen in recent years. In addition, the implementation of General Data Protection Regulation (GDPR), and similar legislation, will drive more organisations to adopt more improved security frameworks or face potentially huge financial penalties.

A mindset change is needed; the current cybersecurity model is flawed because most organisations are simply ‘securing the border’. Breach prevention, even breach detection, are not adequate security postures. They assume that anyone or anything inside the border is trusted until proven otherwise. But this is wholly untrue, as the raft of cyber breaches reveals.

Organisations need to stop building trust into the infrastructure and adopt a zero trust mindset by decoupling security from the complexity of the IT infrastructure and addressing specific user vulnerability. Instead of firewalls, network protocols and IoT gateways, organisations should consider data assets and applications and then determine which user roles require access to those assets.

Building on the existing policies for user access and identity management, organisations can use crypto-segmentation to ensure only privileged users have access to privileged applications or information. It is by creating a zero trust approach to data security first, and only then overlaying any specific compliance requirements, that organisations can lock down the business against the threat and meet growing regulatory demands.

Unsecured Privileged Access

There’s a certain element of detective work required when identifying potential cybersecurity threats to a business. Yet sometimes, the answer to a complex problem could be right under your nose.

While most businesses may consider external threats as their primary concern, one of the biggest threats to an organisation’s network comes from insiders - people from within, spanning from employees to freelancers and on-site contractors - who have elevated levels of access to privileged accounts. According to recent research, businesses place far too much trust in their employees, with 41 per cent of UK respondents stating that they have complete trust in employees with privileged access. This doesn’t bode well for businesses, as placing too much trust in employees is one of the biggest threats that needs addressing.

With tools readily available to businesses, there's no excuse for allowing internal parties unsecured privileged access to critical systems and data. With breaches making headline news on a daily basis, the pressure will continue to mount on businesses to tighten up their defences, meanwhile providing robust training so that insiders are aware of the risks that they could pose.

The Spread of Crypto-Mining

The biggest issue we see this year for companies is the spread of crypto-mining; this is the easiest and quickest way for hackers to monetise your compute power. Unlike crypto-locking, which demands interaction with the victim, crypto-mining is nearly silent. Cyber criminals are exploiting unpatched, vulnerable servers and installing mining software that is tuned to work at a level where the victim will not spot the CPU increase. Some hackers have gone even further; they are even patching the servers once they have taken them over to stop other hackers taking them over.

We have also seen a move away from mining Bitcoins to other cryptocurrencies. Bitcoin is a fairly ‘heavyweight’ currency that requires the mining software to download several assets and is harder to scale across an environment. Other cryptocurrencies like Monero are lighter weight, easier to scale out and harder to spot.

Mitigating this threat comes down to implementing a patching strategy to plug the holes, vulnerability scanning to ensure the patching is up to date and finally watching the network with an IDS to spot suspicious traffic.

Determining Classification and Protection of Different Data Types

British businesses are waking up to the importance of cyber security, but we're still a long way behind other nations, especially the US.

In our experience, their vulnerability lies in determining how to classify and protect their different data types. We often speak to British businesses overwhelmed by their data assets – as a result, this breeds a wholesale mentality. However, not all data assets are equal, so neither should their treatment be.

We advise clients that a mature cyber security approach involves looking at data assets like they do their investments. What data do you need to squirrel under the mattress, have easy access to, or want to give to someone else to look after?

Once a business has done this they can assess the risk appetite for each data set and pertinent threats against those data sets – otherwise the permutations and threat surfaces are too big to understand and mitigate against – particularly against ever evolving threats, and the cyber-attack. Once they understand this, companies can decide how secure they need to be; whether it is to a certain level of compliance, or working towards an aspirational level of assurance and a higher Cyber Security Maturity (CSM) score above industry average.

Demonstrating Sufficient Qualification

Companies’ leading concern around cybersecurity should be whether they are sufficiently qualified to tender for contracts and new business opportunities. Suppliers must comply with the Cyber Essentials assurance framework in order to be in a position to bid for government contracts – which includes work on anything from roads, schools and hospitals to the armed services.

This Government-backed scheme is a badge that shows a business takes cybersecurity seriously, and increasingly it’s becoming a kitemark that others are seeking out. Designed to guard against the most common cyber threats, it demonstrates a commitment to cyber security – and in turn could reduce the risk of the expense, disruption and reputational damage of a cyberattack.

Research has shown that 43% of businesses experienced a cyber security breach or attack in the last 12 months, so showing your organisation is equipped to do business in the digital economy is critical.

Threats and breaches escalated in 2017. Breaches have grown larger in size. Damage to reputation is becoming a major concern as seen by Facebook, Equifax, Uber all the way to SME and SMB operations.

Most of these breaches were down to poor governance and lack of compliance with technical IT measures – not actually doing what they said they were around looking after and securing data.

Accreditations say that you take online security seriously, with a certificate to prove it.

Being able to demonstrate that your business has a robust level of security awareness places it in a strong position and shows it has a focus on what has become a real and growing threat to organisations large and small.

Maintaining Security Standards with Connected Devices

Every attacker in the world is looking for an easy way in and out of an organisation – the proverbial open door. It’s a war between organisations that defend themselves and the attackers and, as long as organisations try to close doors, hackers will look for new ways in. We have seen organisations investing a lot of money in mechanisms to protect their networks, perimeters and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment.

We have become a very connected society, with a lot of networks and devices all around us, and this is exactly what businesses want. They want their employees to use IoT devices, they want their control systems to be connected, smart and automated, and they want M2M to work correctly. However, organisations are often blind to these devices and have forgotten about security in this area. Therefore we can expect to see many high damage data breaches using this open door of smart connected devices.

Keeping Up With an Ever-Changing Threat Landscape

The threat landscape is ever changing, with organisations needing to keep track of these specific threats, bad actors, and techniques that are eye-wateringly severe – and increasing. 2018’s top risks include:

Enterprise ransomware is a major concern. In 2017 WannaCry was the major catastrophe, leaving large and small organisations with no working IT infrastructure in a matter of minutes. This crippling ransomware epidemic was based on military-grade espionage techniques around a Windows vulnerability, EternalBlue, which fell into the wrong hands. What made the attacks so effective was that they were essentially immune to traditional endpoint defence technologies that organisations have relied on for 20 years. Defending against ‘government-grade’ attacks requires enlisting new security technologies and approaches that go beyond simple signature-based prevention. Secondly, we have ransomware not only being used by eCrime actors in a means to gain monetisation, but also nation states using these techniques as a method of destruction, meaning the lines are becoming blurred between state and eCrime threat actors.

Supply chain attacks incorporating vulnerable software update packages are a rising threat. Threat actors are using the unspoken trust we have with tools which can be easily leveraged to distribute malicious capabilities. This technique was notably used by the NotPetya campaign in June but was observed throughout the year from eCrime and nation state adversaries. The effectiveness of supply chain attacks observed during 2017, and so far in 2018, could put the supply chain at greater risk going forward as more actors attempt to leverage this tactic.

Business email compromise has expanded tremendously over the past year. Criminals compromise business email accounts via social engineering or another type of intrusion. CrowdStrike has observed different types of scams: wire transfer attempts and compromises that lead to spam campaigns. CrowdStrike also observed eCrime campaigns using the Netwire remote access tool tied to Nigerian fraud – affecting companies in multiple sectors.

To meet such threats enterprises need to be able to beat the 1 hour 58 minutes average 2017 breakout time – how long it takes for an intruder to jump off the initial compromised ‘beachhead’ and move laterally to other machines on the network.

Ideally, we need to be able to detect the threat within 1 minute; start investigating within 10 minutes; and have contained and fully remediated the incident in one hour.

Neglecting Basic Measures

Businesses’ biggest concern should be that they are neglecting the basics of cybersecurity, and therefore providing an open door to attackers. It’s easy to scoff at measures such as password hygiene and staff training whilst there are so many challenges organisations face and try to keep on top of such as disruptive tech, software changes, cloud migrations, and data analytics.

New security technologies and techniques such as AI and advanced behavioural analytics are important weapons in the fight against cybercrime, but on their own they won’t prevent opportunistic attacks by low-skilled criminals. It’s like investing in a top-of-the-range, IoT-enabled home security system, only to leave the front door wide open every day you leave for work.

Attackers are looking for any vulnerability in the network – a badly-configured firewall, for example, or poorly-patched system. They also target human weakness, which is why phishing and spear-phishing continue to be such a lucrative tactic for criminals. No-one looks forward to the prospect of conducting a security maturity assessment with glee, but this is nonetheless a critical undertaking for any organisation that values its (and its customers’) safety. Similarly, reviewing disaster recovery and business continuity plans is crucial for minimising the impact of any potential breach that does occur.

By all means invest in the latest generation of security tools, but don’t think that these technologies free you from the fundamental work of reviewing your entire security estate, patching quickly, managing identities and permissions, and training all employees – even IT workers – in how to spot and report phishing attempts.

Fighting AI with AI

Technology can provide a more immersive and rewarding experience, but as more processes become digitised, any machine being connected to the internet will create new challenges for those managing the security of the targeted networks. These are risks that both nation state hackers and hacktivists will take advantage of.

One of the biggest concerns around political affairs is the loss of connectivity during pivotal moments that results in the loss of visibility of real time data to the public. While attribution is difficult, hackers will use this opportunity to their advantage in an attempt to destabilise a government by promoting a certain political view point or candidate.

Adding to the confusion of an attack, attribution can be almost impossible making it difficult for certain victims to determine if the attack came from an individual or a nation state.

We’re also seeing that humans are being outpaced by AI and certain kinds of automation. We are already facing a barrage of bad bots fighting good ones. The black market for off-the-shelf attacks is maturing; anyone responsible for network or application security will experience first-hand just how automated cyber-attacks have become.

It will become apparent that humans simply can’t process information quickly enough to beat the bots. The only hope will be to fight AI with AI.

Will AI be used to jam communication links, plunge cities into darkness, set oil rigs on fire or destroy emergency services? Those may be worst-case scenarios, but they point to the need for every enterprise to consider how AI could both damage and protect it.

Andrew Foxcroft, country manager and regional director for the UK, Ireland and Nordics, Radware

Creating a Culture of Security

Cybercrime costs will continue to damage companies as criminals get more sophisticated in 2018 and companies shortcut protection and data recovery tools.

Data breaches can be catastrophic for organisations which hold sensitive data, and these types of organisations will continue to be high priority targets for criminals.

Delays brought about by these attacks affect ongoing business relationships and in a surprising number of cases lead to a cessation of business between customers and suppliers. Well known attacks like those in the health service last year are the tip of an iceberg with many companies refusing to go public rather than risk the backlash of losing individuals’ and customers’ data.

Business continuity planning is crucial to minimising the impact of any attack, however many companies fail to understand this. Recovering data after an attack is a step forward, however, if it takes too long to get the infrastructure up and running again, the damage is done. It’s crucial to design a business continuity plan that has a tried and trusted recovery point both in time and data. These plans should be regularly reviewed at board level to avoid the plan’s implementation being hampered by lack of budget or knowledge or both.

Companies will also need to foster a culture of security if they are to minimise the risk of being a victim of any attack. CIOs and CISOs need to ensure that every employee within the organisation is aware of the threats they could face, whether it’s a phishing email, sharing passwords or using an insecure network.

The cybersecurity landscape is continuously changing with hackers finding new ways to access information. Hence one-off training sessions will not suffice: creating a culture of consistent awareness of threats is required along with a robust security and continuity plan throughout the business.

Upskilling the Next Generation

The top cybersecurity concern for organisations in 2018 is the skills gap. As cyber warfare increases, governments need to upskill the next generation of defenders. Figures around the cyber skills shortage make for sobering reading.

A report from Frost & Sullivan and (ISC)² found that the global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020. Both private and state schools need strong cyber programs and academies should look to develop cyber skills in children from disadvantaged backgrounds.

This will hopefully prevent talented teenagers being sucked into the dark side. Although at the same time that industry struggles to recruit talent, university graduates are finding it hard to start their careers in cyber security. We need to improve opportunities for entry level positions including internships, apprenticeships, more cyber classes in schools, and formal cyber programs.

This also requires a look beyond STEM as careers in threat intelligence can better suit analytical degrees, due to the need to be able to research, analyse and draw conclusions, which can give them the edge over those with a scientific mindset. There are some bright new leaders in the industry that are focusing on education and engaging young talent in the industry and this has to continue.

The Rise of ‘Fileless’ Malware

In 2018, organisations can expect to be dealing with a sharp increase in the rise of “fileless” malware, with a shift in the payload of these types of malware from ransomware to cryptomining exploits. As this is a trend that has followed on from the tail of 2017, most organisations are looking at either replacing or augmenting their existing endpoint protection solutions to combat the new malware.

Organisations are also going to be looking at technologies and solutions that reduce alert fatigue. It is well documented that there is a cyber-security skills shortage, and any technology that reduces the efficacy of the existing team by being noisy and ineffective will be replaced.

Understanding External Networks

Recent high-profile data breaches imply a business is only as safe as its weakest link, which can exist internally or as part of your supply chain.

Once you have your security measures in place, you should turn your attention to your external network to check partners are in sync with your own security values.

Take the time to really understand your business relationships. Which vendors are using what data, how are they using it and what protections do they have in place?

The answer isn't holding back on outsourcing, but to implement the correct systems and checks at every stage of a partnership. Adding a contractual obligation for high-security standards, instant notification if a breach occurs and a clause indemnifying you from loss due to a security law is recommended.

Regular third-party audits, like sending out simple questionnaires, are a good method to get written confirmation of security protocols. In the worst-case scenario, you’ve got a paper trail to prove you take security and GDPR requirements seriously.

GDPR May Provide Incentives to Malicious Actors

Social engineered phishing, and its good friend ransomware, will continue to advance with new strains no doubt on the horizon. The Spring Break vulnerability may yet reveal itself as a high level data breach for Equifax copy cats who missed the memo on patching (CVE-2017-8046).

IoT will be high on the list for both security breaches through misconfigured cloud storage and botnet DDoS, as devices are advancing at breakneck speed and reckless abandon in an effort to be as ironically "smart" as possible.

As a potential dark horse, there is a possibility of GDPR increasing the incentives on malicious actors to approach data breach opportunities not simply for the value of the PII but for the significant potential disruption new, unprecedented penalties may cause for the targeted organisations.

Testing Software Security Early and Often

As businesses continue on their digital transformation journey, their dependency on software increases, which in turn creates a greater surface for hackers to attack. Recent research has revealed that 77% of all software applications have at least one vulnerability when first scanned. The top cybersecurity concern for businesses will therefore be the risk posed by vulnerabilities in software, which cybercriminals will look to exploit in order to exfiltrate data, inject ransomware or mine cryptocurrency.

To mitigate these attacks, organisations will need to ensure that their software is secure, and an effective way of doing this is to test for vulnerabilities in web and software applications early and often. In this way vulnerabilities can be discovered and fixed before they can be exploited by hackers.

Phishing Attacks Increasingly Innovate

Phishing, including threats such as ransomware and CEO fraud, remains the #1 concern for security professionals because these email-based attacks continue to bypass layers of technology to make their way into employees’ inboxes.

By enabling every employee to be the last line of defence to detect and report suspicious activity, organisations can respond faster to attacks in progress and decrease hacker dwell time on their network.

Attackers are becoming increasingly innovative with their phishing techniques, with attacks presenting an increased localised understanding of markets, as well as improved use of language and dialect, creating more targeted attacks that are harder to catch.

Timely attack alerts and intelligence are now critical to minimising the impact of attacks and must extend across an organisation, feeding into a holistic approach to counter phishing attacks. By empowering an organisation’s employees to intercept and report suspicious emails at delivery, it can trigger company-wide security orchestration to reduce the damage done, expel hackers from the network and shut down an attack as early as possible.

Malware Attacks on Critical Infrastructure

As we connect more of our critical infrastructure to the internet, the scope for attacks with real-world consequences is constantly increasing.

For example, the Ukrainian BlackEnergy malware attack in 2015 left 230,000 people without power or heating after hackers compromised several power distribution centres. This attack ended after a few hours and affected a small proportion of the population, but in 2018, after three years of technological advancement, malware attacks could conceivably have a much more long-lasting and widespread impact.

The industrial sector may see an increase in the number of malware-based attacks on critical infrastructure over the next year, with potentially devastating consequences. A resurgence of BlackEnergy malware against the UK’s power stations could create blackouts across the country. Or a successful attack on the rail signalling network could affect any train travelling at any time.

The industrial sector needs to be acutely aware of the potential danger posed by malware attacks like that in Ukraine in 2015. Malware like BlackEnergy is constantly evolving, so companies need to implement an intelligence-led defence to ensure they have the latest insight into the types of attacks they are likely to face.

Coping With the Cyber Skills Deficit

As security threats become more common and increase in sophistication, the massive deficit in skills for highly trained security professionals is a reality many companies will have to face in 2018 and beyond.

This shortage in skills makes not only finding the right people to fill the positions more difficult, but it also increases the competition among those who are skilled - so companies may find these employees harder to retain.

By taking advantage of a new approach to this problem using gamification, employers can encourage staff to keep their skills current by completing virtual labs and award them accordingly, as well as identify new talent within the organisation and promote healthy competition to make it fun at the same time.

Identity & Credentials Theft Will Continue Significantly

Cybercriminals and hackers will continue to focus on identity theft and stealing credentials in 2018. With more than 4.5 billion identities stolen in 2016 – which is more than everyone using the internet – it will continue to be a target, because the more cybercriminals know the more they can influence us.

Identity theft has increased in record numbers in recent years because it is much easier to steal a trusted insider’s credentials and bypass traditional cyber security controls than it is to break through a company firewall; deploying a privileged access management solution can help an organisation reduce this risk significantly.

There are not many cybersecurity solutions that can help companies reduce costs by automating the management of passwords, empower happy employees by removing one of the major headaches of cyber fatigue, meet the tough requirements of compliance and, at the same time, make it more challenging for cybercriminals to break in. So while identity and password theft is common practice, many organisations will be looking at how to reduce this risk.

Connecting the Digital Dots for Key, Actionable Intelligence

For each new type of cyber threat that emerges, new technological devices are devised to address the risk.

This has resulted in organisations deploying a large and complex security infrastructure which is difficult to manage and costly to maintain.

It is estimated that most large enterprise organisations have between 10 and 25 different security vendor technologies deployed across their environment. As networks become more complex, so do the security controls aligned to them.

As a backdrop to this, the cyber enemy is evolving. Hacktivism is now a recognised threat to most organisations. Cybercrime is a fast-growing area with more and more criminals exploiting the speed, convenience and anonymity of the Internet to commit a diverse range of criminal activities.

And now we see the increasing involvement of nation states. Cyberwarfare has become an integral part of all developed countries’ defence strategies.

Intelligence is key, actionable intelligence. By understanding our computerised ecosystems, understanding the “normal” and recognising the interconnected environments upon which all infrastructure now operates, we have the potential to identify the abnormal and react.

If and when the targeted attacks begin, connecting the digital dots is going to be the key to ensuring the survival of any business.

Cybersecurity Playing a Greater Role in Digital Transformation Projects

It has been described by some as the next industrial revolution and one thing is for sure, the rapid pace of the digital era is leading to digital disruption and a huge rise in digital transformation projects. In the excitement of using new technologies for competitive advantage, or indeed the fear of being left behind by digital applications, it is perhaps easy to see how cybersecurity can get overlooked in the race to take first mover advantage.

To truly maximise the opportunities that digital transformation provides, we see cybersecurity playing a crucial role in unlocking the true value of these projects. If consumers have confidence that the new digital applications they use offer both benefits and security, they are more likely to adopt them – and continue to use them.

Increasing Voice Authentication Sophistication

As the reliance on and adoption of voice assistants and smart devices increases, a major security risk is facing enterprises operating in the space. Voice spoofing or voice manipulation and how best to effectively authenticate looms over the security of the voice-controlled world. This is especially important for enterprises that operate a call centre, such as retail banks, credit card companies and insurance agencies.

Existing voice biometric authentication services don’t have the level of sophistication to detect fraudsters and authenticate customers. This leaves enterprises and consumers alike exposed to sophisticated hacking measures like voice synthesis. Without a layer of machine learning-based biometric solution that is not robust to, for example, voice aging, speech cadence and background noise can lead to frustration amongst legitimate customers who may become locked out of their accounts.

Pindrop’s latest authentication solution passively analyses short utterances of a caller’s speech, the overall audio signal of the call and the touchtone behaviour, regardless of whether that caller is interacting with an automated or live call centre agent, and as such it is a significant update for the fraud detection industry. Not only will the update enable enterprises to protect their customers from prolific fraudsters, but it will also provide a truly seamless customer experience.

Securing the Cloud

Enterprises running business-critical applications and services in the cloud must change the way they secure their data and applications. Operating in the cloud changes security requirements.

Research from our Application and Threat Intelligence (ATI) Research Center highlights that securing the cloud is a top priority in 2018. As highlighted in Ixia’s 2018 Security Report, over 90% of enterprises are concerned about data and application security in public clouds. Since 88% had experienced a business-related issue from a lack of visibility into public cloud traffic, it’s easy to see why.

The gap between cloud operations and security operations is growing. Nearly 73% of public cloud instances had one or more serious security misconfigurations. The combination of cloud growth and a high number of security misconfigurations suggests there will be more breaches in 2018 where cloud is a factor.

As cyberattacks evolve, more focus should be on visibility and detection. Enterprises need a strong security process that includes continuous testing as well as visibility down to the packet level to identify and control malicious behaviour before it impacts their business.

Employing End-to-End Encryption

Despite the increasingly sophisticated cyber-attacks facing businesses in the UK, the main threat to organisations is actually in failing to get the basics right on security. According to PhishMe research, email phishing accounts for 91% of all successful cyber-attacks. With this in mind, it’s clear that much and more must be done by companies to secure their internal and external communications, whether that means implementing secure email techniques, training staff or introducing encrypted communication and collaboration software to shield staff from the threats posed by email.

Likewise, large enterprises and government institutions in the UK and around the world are facing the new reality of increased amounts of cyber-attacks that cripple networks and communications infrastructure. A significant number of businesses do not have adequate security measures in place to defend against such an attack, meaning that a bad attack can easily become a catastrophic one. Finally, businesses are failing to employ end-to-end encrypted communication methods across the board, leaving data and IP wide open to hacking, snooping and industrial espionage attempts.

The ‘Co-Processor’ Sleeper Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in IoT devices and Open Source Software, and the generally poor state of information security, dominate the discussion of cybersecurity. These issues continue to be omnipresent, but a sleeper threat – and therefore one of the most significant risks – is so-called “co-processors”.

I personally believe 2018 could see the biggest threats being against co-processors (i.e. chips that control things like cellular and Wi-Fi radios, instead of doing the main processing). Modern operating systems have introduced techniques like application sandboxing to prevent unauthorised access to data, while the commercial app stores do a relatively good job of screening for malware.

However, co-processors tend to run their own firmware and this can be vulnerable, which is particularly worrying when you consider they have a privileged communication path to the main processor. Another important feature of co-processors is they are designed to be used by multiple Original Equipment Manufacturers (OEMs). This means firmware and its documentation are easier for attackers to access, which gives them a head-start pinpointing vulnerabilities.